def testParseFileObjectOnExecutable(self): """Tests the ParseFileObject on a PE executable (EXE) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_pe.exe'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'pe:compilation:compilation_time', 'pe_type': 'Executable (EXE)', 'timestamp': '2015-04-21 14:53:56.000000' } self.CheckEventValues(storage_writer, events[0], expected_event_values) expected_event_values = { 'data_type': 'pe:import:import_time', 'timestamp': '2015-04-21 14:53:55.000000' } self.CheckEventValues(storage_writer, events[1], expected_event_values) expected_event_values = { 'data_type': 'pe:delay_import:import_time', 'dll_name': 'USER32.dll', 'imphash': '8d0739063fc8f9955cc6696b462544ab', 'pe_type': 'Executable (EXE)', 'timestamp': '2015-04-21 14:53:54.000000' } self.CheckEventValues(storage_writer, events[2], expected_event_values)
def testParseFileObjectOnExecutable(self): """Tests the ParseFileObject on a PE executable (EXE) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_pe.exe'], parser) self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:56.000000') self.assertEqual(event.data_type, 'pe:compilation:compilation_time') self.assertEqual(event.pe_type, 'Executable (EXE)') event = events[1] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:55.000000') self.assertEqual(event.data_type, 'pe:import:import_time') event = events[2] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000') self.assertEqual(event.data_type, 'pe:delay_import:import_time')
def testParseFileObjectOnDriver(self): """Tests the ParseFileObject on a PE driver (SYS) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_driver.sys'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 1) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'pe', 'date_time': '2015-04-21 14:53:54', 'pe_attribute': None, 'pe_type': 'Driver (SYS)', 'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectEXE(self): """Tests the ParseFileObject method against an EXE PE file.""" test_path = self._GetTestFilePath([u'test_pe.exe']) parser = pe.PEParser() event_queue_consumer = self._ParseFile(parser, test_path) events = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(events), 3) first_event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2015-04-21 14:53:56') self.assertEqual(first_event.pe_type, u'Executable (EXE)') self.assertEqual(first_event.timestamp, expected_timestamp) self.assertEqual(first_event.data_type, u'pe:compilation:compilation_time') second_event = events[1] expected_timestamp2 = timelib.Timestamp.CopyFromString( u'2015-04-21 14:53:55') self.assertEqual(second_event.timestamp, expected_timestamp2) self.assertEqual(second_event.data_type, u'pe:import:import_time') third_event = events[2] expected_timestamp3 = timelib.Timestamp.CopyFromString( u'2015-04-21 14:53:54') self.assertEqual(third_event.timestamp, expected_timestamp3) self.assertEqual(third_event.data_type, u'pe:delay_import:import_time')
def testParseFileObjectOnExecutable(self): """Tests the ParseFileObject on a PE executable (EXE) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_pe.exe'], parser) self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2015-04-21 14:53:56') self.assertEqual(event.pe_type, 'Executable (EXE)') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.data_type, 'pe:compilation:compilation_time') event = events[1] expected_timestamp = timelib.Timestamp.CopyFromString( '2015-04-21 14:53:55') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.data_type, 'pe:import:import_time') event = events[2] expected_timestamp = timelib.Timestamp.CopyFromString( '2015-04-21 14:53:54') self.assertEqual(event.timestamp, expected_timestamp) self.assertEqual(event.data_type, 'pe:delay_import:import_time')
def testDriver(self): """Tests the ParseFileObject method against a driver (SYS) PE file.""" test_path = self._GetTestFilePath([u'test_driver.sys']) parser = pe.PEParser() event_queue_consumer = self._ParseFile(parser, test_path) events = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(events), 1) first_event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2015-04-21 14:53:54') self.assertEqual(first_event.pe_type, u'Driver (SYS)') self.assertEqual(first_event.timestamp, expected_timestamp)
def testParseFileObjectOnExecutable(self): """Tests the ParseFileObject on a PE executable (EXE) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_pe.exe'], parser) number_of_events = storage_writer.GetNumberOfAttributeContainers( 'event') self.assertEqual(number_of_events, 3) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'extraction_warning') self.assertEqual(number_of_warnings, 0) number_of_warnings = storage_writer.GetNumberOfAttributeContainers( 'recovery_warning') self.assertEqual(number_of_warnings, 0) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'pe', 'date_time': '2015-04-21 14:53:56', 'pe_attribute': None, 'pe_type': 'Executable (EXE)', 'timestamp_desc': definitions.TIME_DESCRIPTION_CREATION } self.CheckEventValues(storage_writer, events[2], expected_event_values) expected_event_values = { 'data_type': 'pe', 'date_time': '2015-04-21 14:53:55', 'pe_attribute': 'DIRECTORY_ENTRY_IMPORT', 'pe_type': 'Executable (EXE)', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[1], expected_event_values) expected_event_values = { 'data_type': 'pe', 'date_time': '2015-04-21 14:53:54', 'dll_name': 'USER32.dll', 'imphash': '8d0739063fc8f9955cc6696b462544ab', 'pe_attribute': 'DIRECTORY_ENTRY_DELAY_IMPORT', 'pe_type': 'Executable (EXE)', 'timestamp_desc': definitions.TIME_DESCRIPTION_MODIFICATION } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnDriver(self): """Tests the ParseFileObject on a PE driver (SYS) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_driver.sys'], parser) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000') self.assertEqual(event.pe_type, 'Driver (SYS)')
def testParseFileObjectOnDriver(self): """Tests the ParseFileObject on a PE driver (SYS) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_driver.sys'], parser) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] expected_timestamp = timelib.Timestamp.CopyFromString( '2015-04-21 14:53:54') self.assertEqual(event.pe_type, 'Driver (SYS)') self.assertEqual(event.timestamp, expected_timestamp)
def testParseFileObjectOnDriver(self): """Tests the ParseFileObject on a PE driver (SYS) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_driver.sys'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) expected_event_values = { 'pe_type': 'Driver (SYS)', 'timestamp': '2015-04-21 14:53:54.000000' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnDriver(self): """Tests the ParseFileObject on a PE driver (SYS) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_driver.sys'], parser) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetSortedEvents()) expected_event_values = { 'data_type': 'pe:compilation:compilation_time', 'date_time': '2015-04-21 14:53:54', 'pe_type': 'Driver (SYS)' } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testParseFileObjectOnExecutable(self): """Tests the ParseFileObject on a PE executable (EXE) file.""" parser = pe.PEParser() storage_writer = self._ParseFile(['test_pe.exe'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 3) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:56.000000') event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'pe:compilation:compilation_time') self.assertEqual(event_data.pe_type, 'Executable (EXE)') event = events[1] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:55.000000') event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'pe:import:import_time') event = events[2] self.CheckTimestamp(event.timestamp, '2015-04-21 14:53:54.000000') event_data = self._GetEventDataOfEvent(storage_writer, event) self.assertEqual(event_data.data_type, 'pe:delay_import:import_time') expected_message = ( 'DLL name: USER32.dll ' 'PE Type: Executable (EXE) ' 'Import hash: 8d0739063fc8f9955cc6696b462544ab') expected_short_message = 'USER32.dll' self._TestGetMessageStrings( event_data, expected_message, expected_short_message)